Bug 54911 - Allow logging of fields set by a backend server in a reverse proxy configuration
Status: RESOLVED LATER
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_log_config
Version: 2.2.24
Hardware: All All
Importance: P2 enhancement
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: MassUpdate
Reported: 2013-04-30 17:50 UTC by Phil Pickett
Modified: 2018-11-07 21:08 UTC

Description Phil Pickett 2013-04-30 17:50:13 UTC
With httpd set up as a reverse proxy in front of a backend Tomcat instance, Tomcat can set the Server reply header by adding the "server" attribute to its HTTP Connector. I.e.,

<Connector acceptCount="100"
           connectionTimeout="20000"
           executor="tomcatThreadPool"
           maxKeepAliveRequests="15"
           server="myBackendServer"
           port="8080"
           protocol="org.apache.coyote.http11.Http11Protocol"
           redirectPort="8443"/>

When examining the reply headers from httpd, I can see that this header is set. This seems to go against the spec (http://www.ietf.org/rfc/rfc2616.txt), section 14.38 where I see:

14.38 Server

   The Server response-header field contains information about the
   software used by the origin server to handle the request. The field
   can contain multiple product tokens (section 3.8) and comments
   identifying the server and any significant subproducts. The product
   tokens are listed in order of their significance for identifying the
   application.

       Server         = "Server" ":" 1*( product | comment )

   Example:

       Server: CERN/3.0 libwww/2.17

   If the response is being forwarded through a proxy, the proxy
   application MUST NOT modify the Server response-header. Instead, it
   SHOULD include a Via field (as described in section 14.45).

Assuming that this would be addressed at some point so that the Server as set by the backend server is not included in the reply from the httpd reverse proxy, it would be nice if the backend values could be recorded before they are munged in mod_proxy so that they could be added to the access log via some new mod_log_config format, e.g. %{field}z.
Comment 1 William A. Rowe Jr. 2018-11-07 21:08:08 UTC
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.